Security Conference Frets Over Social Media and Mounting Threats

LAS VEGAS — About 50 credit union information technology executives filled the meeting room at the Platinum Hotel over three days at the annual CU Information Security Conference. They heard that the threats are mounting, that they are getting more sophisticated and that the probability is high that they will only get tougher.

That is because smart crooks no longer rob financial institutions with a mask and a gun. They use a computer mouse and a browser and, if they are slick, they may rival the $45 million stolen by a ragtag gang of cybercriminals in a blitzkrieg crime revealed by the FBI in May. Those crooks figured out how to falsify information associated with prepaid cards issued by several Middle Eastern banks, and in a few blinks of an eye millions vanished. Once gone, that money probably is gone forever.

Credit union executives in attendance at the event said that the credit union employee remains a weak link that criminals are increasingly targeting.

That is why the IT director at a large East Coast credit union said that his security problem was “people, people, people. We need to keep training them.” He saw only an increasing need for training to guard against phishing probes and similar attempts to con credit union employees into parting with their login credentials.

Other executives said they will impose more tests of employees’ security awareness via USB drive drops, phishing emails and emails with links to corrupted websites. They said they will hold employees responsible for getting savvier to better handle the flood of threats coming their way.

In a like vein, a vice president for IT at a mid-sized credit union in the West said his big takeaway from the conference was that he needs to institute more internal controls. “We were on the cusp of relaxing staff access to social media sites before the conference. Now, if anything, we’ll be tightening down access to social media sites.”

He added that “We will encourage the CEO to support us for limiting [Internet] access for senior management.”

That latter initiative was prompted by information revealed at the conference by Bruce Smalley, an executive with ACI Defense, that in the last year at least two credit unions suffered severe malware infections that came in through the CEO’s computer, one of the few machines in the institution that had free rein on the Internet.

Savvy crooks know that, suggested Smalley, and they are aggressively seeking ways to exploit this lowering of the institution’s guard, which is why at least some credit union security experts now are seeking to close the loophole.

For Andrew Voorhies, a vice president at $1.5 billion Stanford Federal Credit Union in Palo Alto, Calif., his takeaway focused on social media. “Traditionally, credit unions manage brand protection by reserving web domains or monitoring for unacceptable brand use. The big takeaway from the conference was the consideration of a control to manage all social media domains and future new entries to the industry. With Web domain registration, it is straightforward, yet with social media it requires more diligence on a more routine basis. Today Stanford FCU does reserve social media domains, so the control and increased management was the takeaway.”

That insight was largely prompted by a stern warning from Mike Kiefer, an executive with BrandProtect, that every credit union needs to reserve its social media domains on Facebook, Twitter, LinkedIn and Google+. He flashed a slide of a hijacked Bank of America social domain to prove his point. It took giant BofA several days to convince Google to give it control of its domain, said Kiefer, and that incident apparently resonated with multiple conference attendees.

At least one attendee, an IT security executive with a large East Coast credit union, expressed surprise about who was at the conference. “I was surprised to see the relative immaturity of information security within the credit union space (I spent three decades with community banks). Many conference attendees were system administrators, CIOs, even CEOs. There were few that I met that weren’t wearing multiple hats, for one, and responsible for both ends of the security equation to boot.” His point was that nowadays information security demands a dedicated, full-time effort because the crooks are forever gaining in sophistication.